test(integration): add BoringSSL cohort to expand mTLS coverage

[kaukabrizvi]

Goal

This PR does two things:

• Adds BoringSSL to our integration tls cohort
• Expand mTLS test coverage to include boring ↔ s2n.

Why

The mTLS tests were introduced to ensure that s2n can interop with peers for basic, synchronous callback, and asynchronous callback cases. This PR continues that work by expanding coverage. Currently, the tests only assert on interoperability with rustls, this PR adds cases for BoringSSL. This also sets the foundation to add more integration test coverage with BoringSSL as a peer in the future.

How

Adds a dependency on my fork of BoringSSL (see callouts section) for the integration and tls-harness crates. Adds a module for the boringssl harness which matches most of the flow in the OpenSSL harness. Integrates BoringSSL into the mTLS test, following the same flow of existing tests, adding cases for BoringSSL as the peer.

Callouts

• BoringSSL normally collides with OpenSSL’s symbols, which affects our tls-harness since it links both libraries in the same test binary (see Prefixing BoringSSL symbols cloudflare/boring#197). To avoid this, the tests temporarily depend on my fork that builds a symbol-prefixed BoringSSL in Unix. If boring-sys ends up providing upstream symbol-prefixing, this temporary dependency can be removed. To automatically keep the fork up to date, I have installed https://wei.github.io/pull/ on the fork.
• macOS gating: The symbol-prefixing flow in my boring fork currently relies on objcopy, which is not available by default on our macOS CI runners. To keep macOS builds working in CI, this PR gates the BoringSSL dependency and harness code behind cfg(not(target_os = "macos")). In practice, that means:
  • On Linux, we build and run the full BoringSSL harness and mTLS tests as normal.
  • On macOS, the BoringSSL dev-dependency and harness are not compiled in, so the tests fall back to the existing rustls-based coverage only.
    Once we have a reliable macOS path (potentially via Add symbol prefixing feature for BoringSSL cloudflare/boring#401), we can remove this target-specific gate.
• Reviewers should also review my symbol prefix enabled fork of boring here: feat: add optional Unix-only BoringSSL symbol prefixing kaukabrizvi/boring#1

Testing

• BoringSSL passes the generic handshake and data-transfer tests in tls-harness, confirming successful linking alongside OpenSSL.
• All new mTLS paths (basic, sync, async) run through the existing harness helpers across s2n ↔ BoringSSL for TLS 1.2 and TLS 1.3.
• This PR was initially failing the Rust Bindings / generate (macOS-latest) test in CI beacuse of the issue with objcopy discussed in the callouts section. With OS-gating to ensure BoringSSL does not build on macOS, the test passes.

Related

• test(integration): add mTLS integration tests #5638: The boringssl test cases follow the same flow/layout introduced for rustls in this PR.
• Add symbol prefixing feature for BoringSSL cloudflare/boring#401: An Open PR exists to introduce symbol prefixing in BoringSSL, if this PR is merged and supports macOS we can remove the dependency on my fork and the macOS gating.

mTLS coverage is the primary goal of this PR, though future work could include expanding other tests now that BoringSSL is supported in the harness.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[jmayclin]

I'm fine with this, but can we just open an issue to find a way to "time bomb" ourselves? I'd like our CI to fail if your fork goes more than e.g. 6 months without a commit. "trust but verify" 😉

[kaukabrizvi]

I’ve installed https://wei.github.io/pull/ on the fork, which should help keep it in check. That said, an additional guardrail would be useful - I’ll open a follow-up issue after this lands to add a CI “time-bomb” so the fork doesn’t silently go stale.